IE7 Security in Brief

While Rob Franco and Chris Wilson were presenting and getting feedback at PDC, I spent most of my time in smaller discussions (for example, with Paul and Joe) about the security work we’ve done in IE. The discussions reminded me that, before most of the team was working on IE7, before Rob posted about our overall approach to IE7 security, we heard three things about IE and security over and over: “take it out of the operating system (or integrate it less), get rid of ActiveX, and rewrite IE to be secure.”

Now, no one wants to hear what these steps (if done literally) would break. Windows applications (like the AOL client, or Office) use IE technologies to show users HTML email, to download files from the internet, and more. Similarly, no one wants to hear that every browser has its own ActiveX equivalent in order to support great technologies like Macromedia Flash and media players.

I wanted to step back from the threat-driven way we’ve thought about security for just one blog post and talk about our work in terms of what we heard people ask us for.

We heard people ask for more separation between the browser and Windows. In IE7, we built a containment wall around IE by running it in Protected Mode. In this mode, IE can browse the web but cannot install software (good or bad) or change settings on the user’s computer without explicit user consent. Because the foundation work to make this possible is in Windows Vista, this feature is not available on the XP version of IE7. Expect to read more about the details of how this works, and how IE balances compatibility (e.g. users still want their toolbars to work!) with security, in another post.

We heard people say that ActiveX controls had too much privilege. In IE7, we made sure that the only ActiveX controls available to IE were the ones intended for use on the internet. Microsoft Windows includes many, many ActiveX controls. For example, an application developer can use IE technology to browse the web inside her application by using a particular ActiveX control. While only some ActiveX controls were intended for use inside IE by web sites, many of them identify themselves as available for use inside IE. We decided that allowing ActiveX controls to run in IE should be the exception, not the rule. IE7 will block all ActiveX controls from running in the browser except for controls that were explicitly intended for the browser. That list is under the user’s control. Of course, to keep mainstream web sites running, the most commonly used ActiveX controls that are clearly intended for the web (like Flash) will be on that list by default. We started getting feedback on this feature from developers at PDC. Expect a blog post with more detail so we can get your feedback on it before beta 2.

We heard people say that we should just start over from scratch. In IE7, we identified, via threat-modeling, the most critical parts of IE and focused our rewriting efforts on those parts. For example, we didn’t need to rewrite all HTML parsing in order to make IE more secure, but URL parsing and the enforcement of cross-domain security were clearly important parts to rework this release. If you were at Rob’s PDC talk or if you have read about threat modeling, you’ll understand why we focused on threats rather than on rewriting for its own sake. While it’s hard to see the effects of these changes in everyday browsing with IE7 (well, except for now supporting International Domain Names), these parts of the product are more resilient against attack and are still compatible with the web.
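As an added illustration of why URL parsing matters for cross-domain enforcement (this is example code written for this page, not IE’s implementation), here is a strict origin check in Python next to the lenient substring check that loose parsing tends to produce. The function names, the default-port table and the sample URLs are this example’s own; the IDN handling relies on Python’s standard `idna` codec.

```python
# Added example, not code from IE or from this post: strict origin extraction
# and same-origin comparison, contrasted with a lenient substring check.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def origin(url):
    """Return the (scheme, host, port) triple that cross-domain decisions
    should be keyed on. Raises ValueError for anything ambiguous, so that a
    caller can fail closed instead of guessing."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {scheme!r}")
    # urlsplit().hostname already lowercases and strips any user:pass@ prefix,
    # so "http://bank.example@evil.test/" yields "evil.test", not "bank.example".
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    # Map IDN labels to their ASCII (punycode) form so the same domain written
    # two ways compares equal; the codec rejects labels that violate IDNA rules.
    host = host.encode("idna").decode("ascii")
    # .port raises ValueError for a non-numeric or out-of-range port.
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return (scheme, host, port)


def same_origin(a, b):
    return origin(a) == origin(b)


def is_allowed(url, allowed):
    """Default-deny allowlist check: a URL that does not parse cleanly is
    treated as not allowed rather than as a near miss."""
    try:
        return origin(url) in {origin(u) for u in allowed}
    except ValueError:
        return False


def naive_same_site(url, site):
    """The check strict parsing replaces: a substring test on the raw URL."""
    return site in url


if __name__ == "__main__":
    # Constructed sample URLs that a substring check accepts and a strict one rejects.
    for u in ("http://bank.example.evil.test/", "http://evil.test/?q=bank.example",
              "http://bank.example@evil.test/"):
        print(u, "naive:", naive_same_site(u, "bank.example"),
              "strict:", is_allowed(u, ["http://bank.example"]))
```

The point of `is_allowed` failing closed is that a URL the parser cannot make sense of should never be treated as "close enough" to a trusted origin; every input that the naive check accepts in the usage block is rejected by the strict one.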

The things people asked for so much a year ago represent only a subset of what we did in IE7 and Windows Vista. I think the Phishing filter and other anti-fraud work that we’ve done is important. The Parental Controls work that teams showed at PDC is another aspect of protecting people while they’re using the internet. None of this security counts unless corporations can deploy it; we’ve done work (like the application compatibility tool and better Group Policy support) to make deployment easier. There’s also additional functionality around the user experience of security that will come out with beta 2.

How does this interact with security zones? Is there one list per zone, or a global one?

> There’s also additional functionality around the user experience of security that will come out with beta 2.

There was an IE 5 Web Accessory that added menu entries (under Tools) for changing the security zone of a domain (it still works with IE 6, btw), and Win2k3 had similar functionality to support the Enhanced Security Configuration. Did you consider/will you include something like that in IE 7?

Lionel, ActiveX Opt-in will use the list in "Manage Add-ons" with a few tweaks. The list will be enforced for the Internet Zone by default but users and IT pros may choose to use the feature in other zones as well. -Rob

The containment feature of IE7 will really set it apart from other browsers, but I keep hearing that the foundations for this are only in Vista. Is that really so? On XP today, I am running Explorer (and Media Player, QuickTime, Messenger etc) with rights equivalent to a Limited User, although my user is an Administrator. It works through Group Policy and I believe the technology is called SAFER. Even more limited rights can be set in XP through GP, but of course the applications break because they haven’t been adapted to these constrained rights (with broker processes and whatever IE7 on Vista will use).

So, what is really missing in XP to make IE7 as secure as on Vista there too?

Both to have IE running ActiveX and to have it being used by other components make very good sense for software development. To safeguard this capability, the critical path (putting downloadable components into the appropriate compartments/domains based on URL) needs better investigation, which is exactly what the IE team is doing. Keep up the good job.

What about a spoofing catcher… such as if you click on a link that says "www.bankofamerica.com" (example), but it takes you to a site with a SIMILAR, but not exact domain, have the notification bar popup that says "Warning, you have clicked on a link that is not what it seems… blah blah blah".

Surely you can implement a similar sandbox system under XP, just create a special user that can only write to temporary internet files, and use the same method you mentioned in the channel9 vid for actions requiring more privileges?

All the applications that embed "Internet Explorer" really only embed Trident, right? So removing Internet Explorer is perfectly possible, you just don’t want to do it. That’s fine, but don’t pretend you are doing it because things will break otherwise.

If all the bits of the OS that rely on "Internet Explorer" could get along just fine with Trident, there was never anything forcing you to bundle a fully-fledged web browser with Windows. You could have provided a simple browser equivalent in quality to something like Lynx, so that people could download the browser of their *choice*. Much as you did with FTP – anybody who actually uses FTP on a regular basis downloads something else instead of http://ftp.exe.

I agree that it’s pretty meaningless to rant about "removing Internet Explorer" from a security perspective though.

Have I missed something or does Flash work without ActiveX in all the other browsers?

In regards to sites like Bank of America, their SSL only kicks in AFTER you have sent your SS unencrypted over the net. How about some feature that would always show the security level of sensitive information, such as a red X’ed out lock to denote the lack of SSL on any information being submitted?
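As an added example (written for this page, not code from the commenter or from IE), here is a small page auditor that does the check the comment asks for: it finds password forms and reports those that are not protected end to end. The page URL, the HTML and the two reason strings are constructed sample input; it uses only the Python standard library.

```python
# Added example, not code from IE or from this thread: flag password forms
# that would be submitted over plain http, or that were delivered over http.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

PAGE_URL = "http://bank.example/"   # constructed: the login page is plain http
SAMPLE_HTML = """
<form action="/search" method="get"><input name="q"></form>
<form action="/login" method="post">
  <input name="user"><input type="PASSWORD" name="pass">
</form>
<form action="https://secure.bank.example/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
"""

SUBMITS_PLAIN = "credentials would be submitted over plain http"
PAGE_PLAIN = "form was delivered over plain http, so its https action cannot be trusted"


class FormCollector(HTMLParser):
    """Records every form's resolved action and whether it carries a password field."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A relative or missing action resolves against the page URL.
            action = urljoin(self.page_url, attrs.get("action") or "")
            self._current = {"action": action, "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_credential_forms(page_url, html):
    """Return {resolved action: reason} for each password form that either
    posts over http, or is itself served over http (anyone who can alter an
    unauthenticated page can repoint even an https action)."""
    collector = FormCollector(page_url)
    collector.feed(html)
    collector.close()
    page_is_https = urlsplit(page_url).scheme == "https"
    findings = {}
    for form in collector.forms:
        if not form["has_password"]:
            continue
        if urlsplit(form["action"]).scheme != "https":
            findings[form["action"]] = SUBMITS_PLAIN
        elif not page_is_https:
            findings[form["action"]] = PAGE_PLAIN
    return findings


if __name__ == "__main__":
    for action, reason in audit_credential_forms(PAGE_URL, SAMPLE_HTML).items():
        print(f"{action}: {reason}")
```

The second reason string covers the case the comment describes: a login form on a plain http page that posts to https is still a problem, because the page carrying the form was never authenticated, so a browser indicator based only on the action URL would give false comfort.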

Will the reduced rights for ActiveX affect sites such as housecall.trendmicro.com? I hate resource-hogging programs and have not been able to find a program that runs fewer than 5 or 6 processes just to do real-time virus protection (a program should be allowed one process as far as I’m concerned), and therefore, since I don’t resort to using my computer insecurely (in regards to viruses) by using Outlook or enabling client-side Java, I tend to visit sites such as that where I can do an occasional virus scan.

Mike, I think that under XP you don’t even need to create a special user. There are ways to "strip" the administrative privileges from an Administrator account and add the RESTRICTED group to the token for a process (so it can’t access many files or registry keys locally). I wonder why this will only be done on Vista, though.

ActiveX is basically a programming interface convention, used everywhere in Windows. IE simply uses this interface for its binary plugins/extensions. The security issues apply to any kind of binary (machine code — JIT-ed or interpreted code is another matter) extension.

It would be really nice if MSFT would take on the task of creating a logo program that includes a security testing methodology for ActiveX controls and publish a list of controls that have passed. Safe for IE7 anyone?

Contrived example, I know, but leaving referrers switched on is basically an assumption that there will never be any sensitive information in any of the URLs you visit. I don’t think that assumption is warranted, do you?

Proxies aren’t enough to disable referrers, as pages can still find this information through Javascript (and also detect when a proxy is attempting to filter them out). This is something that needs actual browser support.

Many of those are css fanatics: all they can do is css, and they wonder why they cannot have an internet where their only talent rules.

Unable to achieve the same results via a combination of Css and Javascript (although BOTH style and javascript could go disabled, not only the latter), they find that the solution is to blame IE for their own shortcomings.

They live in a world where bugs do not exist. I have never seen such a world, in NO field.

ActiveX, many of them repeat by hearsay, they don’t even really know what they are.

As for those who are not css fanatics, in politics we follow the votes, in economics we follow the money: if making an issue of security and of strict w3c compliance is enough to take away a market share from Microsoft, why not vent it, considering how high the revenue is for so cheap a price? After all, Opera has banners. And Netscape with its Mozilla engines is at the Nasdaq.

It is the right approach to listen to the complaints and try to meet them. But nothing of this should make you unaware that the purpose of the complaints has never been having a better IE product (god forbid isn’t it!?) , but that of taking away money from Microsoft’s current market share.

True, it’s not an engineer’s concern: but it’s still a Microsoft challenge.

They will find another way to attack you and Microsoft engineers, unless you start attacking them on the same grounds too rather than just reacting.

They say you’re "catching up" – you’re not, really: you will really "catch up" when you’ll start fighting this fight also per what it is: fictional complaints propaganda to get market shares.

You need your Google like Chief Evangelist lol.

They are as much insecure as any other can be, or as much secure as any other can be. They only know that human credulity and stupidity (and pride!) is above artificial intelligence bugs: they just start spreading rumors, and they found out they don’t even have to pay the cheerleaders in order to find zealous supporters.

IE7 can be fabulous. All the more, get ready for the next wave: if it paid off the first time, they’re just going to invent another one once IE7 is released, basing it on _minimal_ grounds of truth like any good stealth and slandering approach should do.

Follow the money, not the complaint. Let the css fanatics believe it has ever been about the complaints.

I see no reason to style a website through JS rather than CSS, except I need something IE isn’t capable of and am in an intranet. The (X)HTML for markup, CSS for style approach seems the best to me. And using JS for that is like, well, formatting a list with ActiveX. It is not needed, so why not just keep it simple and maintainable?

As a sidenote: Opera doesn’t seem to have banners anymore.

Also I like it every time I read someone saying that "the purpose of complaints is not to get a better product"; that’s right. I don’t use IE myself, but the internet is. And I have to design and develop for the internet. So it would be great if Microsoft joins the game and follows the rules instead of punching the referees in the nuts and singing something about "walking on sunshine" every time they get to the touchdown area with their huge coloured tank. That would be constructive.

"They are as much insecure as any other can be"

Well, with that kind of judging of people you do not know, well, that do not even exist, since you’re projecting your mental categories onto masses of people, I just recommend a bit of observation of your own communications.

Well, it’s finally up to Microsoft how they decide to go. Maybe they’ll follow the path you suggested. If they do, let’s meet exactly here in 5 years again.

If Internet Explorer now uses separate processes for the browser and for the save-dialogue: Will it still be possible in Vista that this restricted process for the browser that only can write to the TIF would just send windows messages to explorer to open the start menu and run a virus?

The answer is "no". This kind of attack (called a "shatter attack") is blocked by the integrity control in UAP. Window messages can only be sent to processes with the same or lower integrity level. Since IE will be running with low integrity, it can only send messages to other low integrity processes.
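As an added example (not Windows or IE code), here is a toy model of the two mandatory-integrity rules the answer above relies on: a process may not write to an object labelled above its own level, and window messages only flow to a process at the same or a lower level. The numeric values are the RIDs of the Vista mandatory-label SIDs; the process and object names, the consent flag standing in for the broker, and the scenario list are this example’s own.

```python
# Added example, not Vista or IE code: a toy model of mandatory integrity
# control (no-write-up) and the UIPI message rule, applied to Protected Mode.
from enum import IntEnum


class Integrity(IntEnum):
    # Values are the RIDs of the mandatory-label SIDs S-1-16-4096 (Low),
    # S-1-16-8192 (Medium), S-1-16-12288 (High), S-1-16-16384 (System).
    LOW = 4096
    MEDIUM = 8192
    HIGH = 12288
    SYSTEM = 16384


class Process:
    def __init__(self, name, level):
        self.name, self.level = name, level


class Obj:
    def __init__(self, name, label=Integrity.MEDIUM):
        # Objects carrying no explicit mandatory label are treated as Medium.
        self.name, self.label = name, label


def may_write(proc, obj):
    """No-Write-Up: a process may modify an object only if the object's label
    is at or below the process's integrity level. Reads are not restricted by
    this policy (the discretionary ACL still applies; not modelled here)."""
    return proc.level >= obj.label


def may_send_window_message(sender, receiver):
    """UIPI rule quoted in the comment above: messages only reach a window
    owned by a process at the same or a lower integrity level."""
    return sender.level >= receiver.level


def protected_mode_write(proc, obj, user_consented=False):
    """A low-integrity browser that must write outside its own area goes
    through a higher-integrity broker that asks the user first (the 'explicit
    user consent' of the post). Returns (allowed, how)."""
    if may_write(proc, obj):
        return True, "direct"
    if user_consented:
        return True, "broker"
    return False, "denied (no-write-up)"


def scenario():
    """Walk through the cases raised in the thread; returns {case: outcome}."""
    ie = Process("iexplore.exe (Protected Mode)", Integrity.LOW)
    explorer = Process("explorer.exe", Integrity.MEDIUM)
    tif = Obj("Temporary Internet Files (Low)", Integrity.LOW)
    startup = Obj("Startup folder", Integrity.MEDIUM)
    return {
        "ie writes cache": protected_mode_write(ie, tif),
        "ie drops file into Startup": protected_mode_write(ie, startup),
        "ie saves download after user consent": protected_mode_write(ie, startup, user_consented=True),
        "ie posts message to explorer's window": may_send_window_message(ie, explorer),
        "explorer posts message to ie's window": may_send_window_message(explorer, ie),
    }


if __name__ == "__main__":
    for case, outcome in scenario().items():
        print(f"{case}: {outcome}")
```

The last two entries are the shatter-attack case from the question: the low-integrity browser cannot drive the medium-integrity shell through window messages, while the shell remains free to message the browser.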

A rewrite is probably best avoided. In any large body of code, it’s not impossible that you’ll just introduce more bugs than you eliminate, especially when the rewrite is rushed or tries to add features as well as lock things down.

Auditing subsystems, looking for bad code hotspots and fixing specific design problems in the current codebase is most likely a much better way to go. So three cheers for the IE folks, hopefully I won’t have to try to disable the browser (transproxy checking user-agent, all javascript, activex, etc disabled) in future.

Tony, that is really cool that this kind of attack is now mitigated. All those people who now run their browser with another account, but on the same desktop are probably only secure because no virus uses SendKeys because it’s not common.

> If so, css is just one of the ways to implement a law, not a precised prescription of the law. Whether I attain the goal via css only or via css and javascript both, the law goes satisfied.

Not when user-agents typically used by disabled people don’t cope well or at all with Javascript, and not when consensus among experts explicitly warns against reliance on Javascript (see WCAG).

You are right in saying that CSS is not specifically required by law. Yet it’s the only appropriate method for most websites. If you end up on the wrong side of a lawsuit, you’re going to have a hard time explaining why you ignored specific advice from the W3C:

> For instance aural sheets: I often wished I could use a bit of them, but what’s the point with the effort when you won’t see browsers around able to interpret them correctly?

Opera and EMACS-W3/Emacspeak support aural stylesheets today.

> Whom will the law jail? IE? Me? You? Everybody?

This is why it sounds a bit puzzling you see.

Accessibility laws are not usually criminal, but civil in nature. You won’t see anybody jailed, but you will see fines. SOCOG, the Sydney Olympics committee, were fined A$20,000 for not making their website accessible.

Lots of people settle out of court (e.g. AOL) or don’t let it get that far in the first place by fixing their websites when people complain.

> The issue is not css yes or css not. The issue is on whether we should reserve our refined critical capabilities to blame Microsoft only as we DO, whereas as herds of sheep we say "yessir" to the W3C whichever absurdity it implements.

That’s a false dichotomy. Microsoft are a member of the W3C, Microsoft have members on the CSS working group, if the specifications that the CSS working group author are not acceptable to Microsoft, then that’s their own fault.

> So, we’re teaching our programmers to respect a rule simply because it has been made a rule with a tap of a selector on the shoulders.

The W3C is an industry consortium with members from across the whole community, working for all kinds of different companies.

They aren’t some shadowy group that are dictating standards – they are arriving at community consensus and publishing the results.

> Wrong rationale behind it, SHOULD have been the OTHER way round. BAD PICK lol 🙂

That’s your opinion, and you are entitled to it.

However, the CSS working group obviously had a different opinion to you. That working group is made up of people working on browsers, people working on web development tools, web developers, and so on.

With all due respect, I think they are more qualified to decide what is appropriate than some random person posting on the IE Blog.

> IE is CORRECT, though the W3C might go differently. We cannot accuse Microsoft of standard lack of compliance even when it corrects a W3C bug

Internet Explorer is not correct, because it’s not a W3C bug. You might not think that the W3C’s decision was correct, but the Internet Explorer developers chose to use CSS rather than some proprietary concoction. You can’t just pick and choose parts of the specification you like and do something else when it suits you – that defeats the whole purpose of having a specification in the first place.

> The W3C spec is wrong there. It is surprising that whereas we so eagerly allow blaming IE for whatever, we consider anathema blaming the W3C for clearly questionable specifications.

Who is the "we"? It seems you are attacking a straw-man there. Who are these people who consider it anathema to criticise the W3C?

> Unless, as I said and that’s the point, it’s just a staged technique to take away market shares from IE exploited by third parties.

It would be quite idiotic to include Microsoft in this scheme then, wouldn’t it?

> A few guys will get the money (ours) while we will go on cheering for free.

Who pays for a browser these days? Even Opera is free.

> IE is good. If it doesn’t implement all css, who cares.

Web developers. If you can really say "who cares?" then I strongly doubt you do much web development.

> Go validate Yahoo and get 301 w3c validation errors today: shall we jail them, or shall we go on using their services quite successfully

Another false dichotomy. Nobody is calling for them to be jailed, but condoning it is not the only alternative.

There are other reasons why I would love to see ActiveX be deprecated and eventually, someday down the line, abandoned entirely. Yes, it has been a security nightmare up to this point. But it has also been one of the biggest setbacks to web standards. Why is there still no next-generation forms standard on the web? Because nonstandard, proprietary technologies like ActiveX have been "good enough" up to this point, but result in websites that are incompatible with other browsers. Tying users into one browser (or other application) is the worst security problem of all, because the user loses the ability to choose a more secure product.

Secunia is a company that makes money by claiming that IE is bad so you need to buy their product.

Secunia saying something is a security bug doesn’t make it so. Most of these "unpatched" bugs are really stupid like "I can make the status bar say what I want it to" or "I can see if there’s a certain file on your computer but I can’t read it or do anything to it." Big friggin’ deal.

> Have I missed something or does Flash work without activeX in all the other browsers?

AFAIK, every browser but Internet Explorer uses the old Netscape Plugin system for implementing browser plugins. The main difference between NP and ActiveX (and the reason ActiveX gets bashed so much) is that Netscape Plugins can ONLY run as Internet components, whereas ActiveX is used all over Windows. So generally ActiveX has more freedom (though from what I’m reading, that’s one of the things being dealt with in IE7).

There’s no reason that you can’t have IE libraries be separate from the libraries used for other software programs and the Explorer shell. One of the most annoying things about Internet Explorer is when it gets screwed up, there’s no way to re-install it. De-integrating, and having two separate library bases would not only lessen the impact of security holes, but would also allow for removal and reinstall of the browser itself.

Possibly in the USA they are (I thank you for the hint, I "stored" it), although I do not think (you can correct me, of course) there exists any law that mentions "css". It would sound grotesque.

If so, css is just one of the ways to implement a law, not a precised prescription of the law. Whether I attain the goal via css only or via css and javascript both, the law goes satisfied.

Or doesn’t it? Feel free to correct me, but not for the sake of it 🙂

Though I understand this is not the appropriate forum, if you have a link where any text of such laws can be read, I think many could be interested. Though the fact a law is enacted in, say, Nebraska, doesn’t mean it has to be respected in Holland – WORLD wide web (which accounts for my grammatical mistakes: I am not an English native speaker).

For instance aural sheets: I often wished I could use a bit of them, but what’s the point with the effort when you won’t see browsers around able to interpret them correctly?

Whom will the law jail? IE? Me? You? Everybody?

This is why it sounds a bit puzzling you see.

Yet all this doesn’t erase the fact that we already have css, and that no one sponsors a world without css (although there has been even a time when there was not only no css, but even no internet, and the world just went on producing abominations and masterpieces as well lol).

The issue is not css yes or css not. The issue is on whether we should reserve our refined critical capabilities to blame Microsoft only as we DO, whereas as herds of sheep we say "yessir" to the W3C whichever absurdity it implements. It seems we implicitly assume that what the W3C does, that is right because it implements a standard in the same line it makes a mistake. Forget the mistake, gulp the (flawed) standard. Say it tasted fine.

So, we’re teaching our programmers to respect a rule simply because it has been made a rule with a tap of a selector on the shoulders.

The W3C sets specifications where, if you set the height of a layer and also declare its overflow property as ‘visible’, the height nonetheless prevails.

Why? Wrong rationale behind it, SHOULD have been the OTHER way round. BAD PICK lol 🙂

If an overflow is openly stated as ":visible", Mozilla will show contents overflowing outside the container if they exceed the HEIGHT. That is, the overflow goes unnoticed.

IE, on the contrary, STRETCHES the layer.

IE is CORRECT, though the W3C might go differently. We cannot accuse Microsoft of standard lack of compliance even when it corrects a W3C bug – oops I forgot for a moment that only Microsoft engineers can produce bugs rofl.

Observing the height and yet interpreting the specific & specified overflow command of a layer as a request to reproduce the DEFAULT behavior we ALREADY had, and therefore as an added license to span beyond the boundaries of the container, is equivalent to making the overflow instruction impotent and as if it weren’t: and yet it is.

Omit the overflow statement in order not to stretch, rather than omitting the height in order to stretch: because it is the height that is made for its overflow specification, not the overflow specification for its height.

Vice versa makes NO sense.

The W3C spec is wrong there. It is surprising that whereas we so eagerly allow blaming IE for whatever, we consider anathema blaming the W3C for clearly questionable specifications.

Unless, as I said and that’s the point, it’s just a staged technique to take away market shares from IE exploited by third parties. A few guys will get the money (ours) while we will go on cheering for free.

IE is good. If it doesn’t implement all css, who cares. Go validate Yahoo and get 301 w3c validation errors today: shall we jail them, or shall we go on using their services quite successfully as we always did with all browsers and OS?

Demystify the W3C. It’s not G-d, though we may still make an idol of it.

What fantasy shall our programmers nurture if they learn to worship statements just because they are turned official and they detect no longer those that have turned rotten, and if they learn to revere wrong solutions simply because they have been lent by an authority?

They are cannon fodder for MORAL phishing.

«Cerf said he often meets young people pursuing radical ideas in technology because "they don’t know you can’t do that, so they go and do it."

"And there’s nothing more refreshing than that (can do) attitude," he said.»

[Vinton Cerf]

I won’t add more about this. I already wrote too much. But I want to defend IE for that good product that it IS. Css fixed layers are like heaven, they CAN wait.

What I’d like to see is the message "do you want to run ActiveX Controls" changed to tell you what control it is. Most of the time it is just Flash which I have intentionally installed, but the message is way too ambiguous considering all the things ActiveX Controls can do. Better yet, if I installed it then let me specify if I want to run or prompt separately from the world of unknown ActiveX Controls.

As we know, there are many great browsers growing up today, such as Firefox, GreenBrowser, Maxthon and so on. These browsers have one common characteristic: they are simply extended (not like IE, where a plug-in must be made in a compiled language, such as C++ or VB).

So I think, why not write an engine which executes plug-ins written in JS or as a DLL (just like GreenBrowser)?

Luckily, I have written this kind of engine: it lets you write a plug-in in JS or as a DLL, and can also execute the plug-in as you want (just configure the runat event in the plugin.xml).

Ever since the first IE7 beta came out, I’ve been mystified by a security dialog that came up on my site, prompting me to approve or deny the installation of the Windows Media 6.4 Shim [screengrab, 32K PNG]. Today I…

Mike Danseglio, the Program Manager for the Security Solutions group at Microsoft blames users for the Windows security nightmare, saying "there really is no patch for human stupidity." Nice one, Mike. Actually, Mike, there really is no patch

According to Microsoft’s IEBlog, IE7 is coming this month — Are you Ready? Most of the expected compatibility issues are in CSS filter hacks that will no longer work in IE7. However, in working with the IE 7 Release Candidate…
